I have set the permissions of the back reference view to a certain role.
Anonymous users and other roles are not allowed to see the back references.
If I use the tab referrer type, the tab itself is always shown. If I click on the tab, I get a warning because I changed the permissions of the view.
The same happens when I use the fieldset referrer type.
Only when I choose for the content field option I am able to hide the back references without an error message.

I prefer to use the tab method. How can I hide the tab for users that do not have permission to access the view?

Comments

There's a @todo note in the code (noderelationships.module) about this.

/**
* Access callback for the node relationships tab.
*
* @see noderelationships_menu()
*/
function noderelationships_backref_access($referred_node) {
// Deny access if the user does not have access to view the referred node.
if (!node_access('view', $referred_node)) {
return FALSE;
}
// Include common module functions.
module_load_include('inc', 'noderelationships');
// Obtain back reference settings for this type.
$backref_settings = noderelationships_settings_load($referred_node->type, 'backref');
// Deny access (meaning the tab is not visible) when the node type
// does not have back references enabled for this region.
if (empty($backref_settings['regions'][NODERELATIONSHIPS_BACKREF_REGION_TAB])) {
return FALSE;
}
// Ok, the user is allowed to view the node and this type has potential
// back references, so we can grant access to the relationships tab.
// @todo: Find out a way to hide the relationships tab if THIS node does
// not have real back references. The problem here is that a series of
// SELECT COUNT(*) queries would affect performance, so we would have to
// use a summary field or something similar. But this information would
// have to be updated when a nodereference is added, changed or removed
// from the database.
return TRUE;
}

Ok, so we also need to deal with views where the user does not have access to prevent access denied errors. But still, we need to find a way to cache this information because this function could impact performace.

I'm turning this issue into a feature request, but postponed until there's a patch for review. I'm not sure I'll have the time for this in the short term though.

Ok, I have committed to CVS a small change that allows external modules deny access (and hide) the Relationships tab. All you need to do is implement hook_noderelationships_backref_access() in a custom module as in this example:

function mymodule_noderelationships_backref_access($node) {
if ( /* Condition to check if the current user has access to the Relationships tab for this node. */ ) {
return FALSE;
}
}

This fix is not included in noderelationships 6.x-1.2. It should be available in the next development snapshot.